`apiRevision` flag isn't working in Bicep template - azure

I am using Bicep to deploy open api json into Azure API Management. The snippet looks like this.
resource fuseintegrationsapi 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
  name: '${apim.name}/integrations-api-${environment_name}'
  properties: {
    description: 'Contains integrations apis used to control the platform.'
    type: 'http'
    apiRevision: '1234'
    isCurrent: true
    subscriptionRequired: false
    displayName: 'Integrations Api'
    serviceUrl: '${api_backend_url}/api/test/v1/integrations'
    path: '${environment_name}/api/test/v1/integrations'
    protocols: [
      protocol
    ]
    value: api_link
    format: 'openapi+json-link'
    apiType: 'http'
  }
  dependsOn: [
    api2
  ]
  resource symbolicname 'policies' = {
    name: 'policy'
    properties: {
      value: anonymous_operation_policy
      format: 'rawxml'
    }
  }
}
Even though revision is hardcoded to 1234 it's always using default 1 and the API is not updating with latest open api specification.

I had the same problem and figured out that you have to put the revision in the name also.
name: '${apim.name}/integrations-api-${environment_name};rev=1234'

Related

Log Query Alert Example

I am designing a monitoring solution for a project and would like to create some alert rules for certain resources (for example application insights).
If I'd like to set up a log search alert, I need to define a specific query and tell the alert what to do.
However, I have not written a log query alert before and do not know how I could set that up.
Currently, I have written an example for a log search in Bicep:
@description('Location of the resource.')
param location string
@description('Log Analytics workspace ID to associate with your Application Insights resource.')
param workspaceId string
@allowed([
  0
  1
  2
  3
  4
])
@description('Severity of the alert.')
param severity int = 2
resource appInsightsLogRule 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
  name: appInsightsLogRuleName
  location: location
  properties: {
    displayName: appInsightsLogRuleName
    severity: severity
    enabled: true
    evaluationFrequency: 'PT5M'
    scopes: [
      workspaceId
    ]
    targetResourceTypes: [
      'Microsoft.Insights/components'
    ]
    windowSize: 'PT5M'
    criteria: {
      allOf: [
        {
          query: 'tbd.'
          timeAggregation: 'Count'
          dimensions: []
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 3
          }
        }
      ]
    }
    autoMitigate: true
    actions: {
      actionGroups: [
        actiongroups_team_blue
      ]
    }
  }
}
The query is currently still empty, as I don't know how I could fill this one.
Could someone maybe please share samples or queries for a useful scenario (for example Application Insights, Network Watcher, Sentinel, etc.) for a scheduledQueryAlert or general alert rule? Thank you very much!
First of all, check the parameter.json file to avoid these kinds of empty output issues, and check whether the given query is valid.
Referring to MSDoc, I tried to create a sample scheduled log alert for log analytics workspace resource and verify that it was sent to the given email address. It worked and was successfully deployed as follows.
@description('Log Analytics workspace Resource ID.')
param sourceId string = ''
param location string = ''
param actionGroupId string = ''
resource logQueryAlert 'Microsoft.Insights/scheduledQueryRules@2018-04-16' = {
  name: 'xxxxx log query alert'
  location: location
  properties: {
    description: 'This is a sample alert'
    enabled: 'true'
    source: {
      query: 'Event | where EventLevelName == "warning" | summarize count() by Computer' // query as per the requirement
      dataSourceId: sourceId
      queryType: 'ResultCount'
    }
    schedule: {
      frequencyInMinutes: 15
      timeWindowInMinutes: 60
    }
    action: {
      'odata.type': 'Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction'
      severity: '4'
      aznsAction: {
        actionGroup: array(actionGroupId)
        emailSubject: 'xxxx Log Alert mail subject'
        customWebhookPayload: '{ "alertname":"#samplealertrulename", "IncludeSearchResults":true }'
      }
      trigger: {
        thresholdOperator: 'GreaterThan'
        threshold: 1
      }
    }
  }
}
Deployment succeeded:
Azure Portal:
Log query alert:
Mail triggered successfully:

Deploying ARM Template for an API Connection that uses OnPrem Data Gateway succeeds but the authType and gateway parameters are missing

I've been banging my head against a brick wall on this.
I'm trying to deploy via Azure DevOps pipeline, a bicep/ARM Template an API Connection that uses a Custom Connector that is linked to an On-prem API via a Data Gateway.
Here is my bicep file...
param connectionName string
param displayName string
param gatewayResourceGroup string
param gatewayName string
param connectorName string
param location string = resourceGroup().location
resource connector 'Microsoft.Web/customApis@2016-06-01' existing = {
  name: connectorName
}
resource gatewayApi 'Microsoft.Web/connectionGateways@2016-06-01' existing = {
  name: gatewayName
  scope: resourceGroup(gatewayResourceGroup)
}
resource apiConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  properties: {
    displayName: displayName
    nonSecretParameterValues: {
      authType: 'anonymous'
      #disable-next-line BCP036
      gateway: {
        name: gatewayName
        id: gatewayApi.id
        type: 'Microsoft.Web/connectionGateways'
      }
    }
    api: {
      name: connector.name
      displayName: 'CONNECTOR ${connectorName}'
      id: connector.id
      type: 'Microsoft.Web/customApis'
    }
  }
}
The issue is the nonSecretParameterValues.
They don't go anywhere.
The API Connection is deployed like...
What makes this a little worse is the deployment is successful...
But if I drill into the Operation details I can see there were two issues...
"overallStatus": "Error",
"statuses": [
  {
    "status": "Error",
    "target": "authType",
    "error": {
      "code": "ConfigurationNeeded",
      "message": "Parameter value missing."
    }
  },
  {
    "status": "Error",
    "target": "gateway",
    "error": {
      "code": "ConfigurationNeeded",
      "message": "Parameter value missing."
    }
  }
],
Very frustrating.
Now I can manually add the values I intended to be there for the authType and gateway parameters after the deployment is "successful". Then my logic app that uses this API Connection and Custom Connector to Onprem Gateway works as expected.
But the exported template for the API Connection does not change between the connection having missing parameters (in the UI) or after I manually enter the values.
I have also tried adding some PowerShell after the deployment to pick up the connection and to try setting the "missing" values and updating the resource from there.
I can see another API Connection via PowerShell which is correctly set with the authType and gateway parameters.
But when I try to set these on the resource I need to "fix", it also complains...
I would really like to have the API Connection deployment fully via Azure DevOps pipeline.
NOTE: I find it very odd to have to use the #disable-next-line BCP036 to disable the warning in VSCode. And even opening the built ARM Template will give a warning on the "gateway" property name. I even tried replacing the "object" with just the resource id and that didn't help.
The parameters should be in a parameterValues property object:
resource apiConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: connectionName
  location: location
  properties: {
    displayName: displayName
    parameterValues: {
      authType: 'anonymous'
      gateway: {
        id: gatewayApi.id
      }
    }
    ...
  }
}
Suggestion:
The nonSecretParameterValues object must be in the format of a dictionary. I cannot find any hard documentation about this as a data structure, but it's mentioned several times.
nonSecretParameterValues: {
  authType: 'anonymous'
  'gateway-name': gatewayName
  'gateway-id': gatewayApi.id
  'gateway-type': 'Microsoft.Web/connectionGateways'
}
Hope this helps.

Setup headers for web app's IP security restriction with Bicep

How to define headers for IP security restrictions of an Azure Web App, with Bicep?
Documentation says little about this, only that headers is an object.
ipSecurityRestrictions: [
  {
    priority: 1000
    name: 'AFD'
    tag: 'ServiceTag'
    action: 'Allow'
    ipAddress: 'AzureFrontDoor.Backend'
    headers: {
      x_azure_fdid : [
        '3dc8865d-90c7-4b87-8edf-99726c56543a'
      ]
    }
  }
]
Error is: The 'x_azure_fdid' header is not supported!
I tried with x_azure_fdid, xazurefdid or even 'x_azure_fdid', uppercase, etc... to no avail.
Looking at Front Door documentation, the header name is X-Azure-FDID
headers: {
  'x-azure-fdid': [
    '3dc8865d-90c7-4b87-8edf-99726c56543a'
  ]
}
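
A pre-deployment check for the rule discussed above, as an added example that is not part of the original question or answer: it lints an `ipSecurityRestrictions` array from a compiled template, flagging header names App Service does not accept and Front Door service-tag rules without an `x-azure-fdid` filter (the tag alone admits traffic from every Front Door profile, not only your own). The function name, the sample rules and the supported-header set (taken from the App Service access-restriction documentation, not from this page) are assumptions.

```python
import re

# Header names accepted by App Service access restrictions (assumption, lower-cased).
SUPPORTED_HEADERS = {"x-forwarded-host", "x-forwarded-for", "x-azure-fdid", "x-fd-healthprobe"}
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
FRONT_DOOR_TAG = "AzureFrontDoor.Backend"


def lint_restrictions(rules):
    """Return (rule name, finding) tuples for an ipSecurityRestrictions array."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        # Header names are case-insensitive, so compare in lower case.
        headers = {k.lower(): v for k, v in (rule.get("headers") or {}).items()}
        for key in headers:
            if key not in SUPPORTED_HEADERS:
                findings.append((name, f"unsupported header '{key}'"))
        is_afd = rule.get("tag") == "ServiceTag" and rule.get("ipAddress") == FRONT_DOOR_TAG
        if is_afd and rule.get("action") == "Allow":
            ids = headers.get("x-azure-fdid") or []
            if not ids:
                findings.append((name, "Front Door service tag allowed without x-azure-fdid filter"))
            for value in ids:
                if not GUID.match(value):
                    findings.append((name, f"x-azure-fdid value '{value}' is not a GUID"))
    return findings


# Constructed sample: the question's rule, the answer's rule, and a tag-only rule.
SAMPLE = [
    {"name": "AFD-question", "tag": "ServiceTag", "action": "Allow", "priority": 1000,
     "ipAddress": FRONT_DOOR_TAG,
     "headers": {"x_azure_fdid": ["3dc8865d-90c7-4b87-8edf-99726c56543a"]}},
    {"name": "AFD-answer", "tag": "ServiceTag", "action": "Allow", "priority": 1000,
     "ipAddress": FRONT_DOOR_TAG,
     "headers": {"x-azure-fdid": ["3dc8865d-90c7-4b87-8edf-99726c56543a"]}},
    {"name": "AFD-tag-only", "tag": "ServiceTag", "action": "Allow", "priority": 1010,
     "ipAddress": FRONT_DOOR_TAG},
]

if __name__ == "__main__":
    for rule_name, finding in lint_restrictions(SAMPLE):
        print(f"{rule_name}: {finding}")
```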

Deploy Azure FunctionApp container to App Service as linuxFxVersion

I am working on deploying an isolated Azure Function App container on Azure App Service.
I have created App Service Plan:
"sku": {
"name": "P1v2",
"tier": "PremiumV2",
"size": "P1v2",
"family": "Pv2",
"capacity": 1
},
"kind": "linux",
with App Service:
"kind": "functionapp,linux,container"
I am using AzureWebAppContainer#1 task:
- task: AzureWebAppContainer@1
  displayName: Deploy to app service
  inputs:
    azureSubscription: ${{ parameters.azureSubscription }}
    appName: my-web-app0name
    imageName: myacr01.azurecr.io/myregistryname:tag01
    configurationSettings: -linuxFxVersion DOCKER|myacr01.azurecr.io/myregistryname:tag01"
    appSettings: ${{ parameters.appSettings }}
    resourceGroupName: my-resource-group
When the task is executed by Azure DevOps yaml pipeline in the logs there is info that:
Trying to update App Service Configuration settings. Data: {"appCommandLine":null,"windowsFxVersion":"DOCKER|myacr01.azurecr.io/myregistryname:tag01"}
I do not understand why the windowsFxVersion is used instead of linuxFxVersion.
On resource level in Azure Portal I can also see that I have windowsFxVersion set instead of linuxFxVersion.
Worth mentioning that when you click through the wizard on Azure Portal with the default Function App, it is set as linuxFxVersion.
This is not a valid value:
-linuxFxVersion DOCKER|myacr01.azurecr.io/myregistryname:tag01"
Please find available values by executing:
az webapp list-runtimes --os linux
Result:
[
"DOTNETCORE:7.0",
"DOTNETCORE:6.0",
"DOTNETCORE:3.1",
"NODE:16-lts",
"NODE:14-lts",
"PYTHON:3.9",
"PYTHON:3.8",
"PYTHON:3.7",
"PHP:8.0",
"PHP:7.4",
"RUBY:2.7",
"JAVA:17-java17",
"JAVA:11-java11",
"JAVA:8-jre8",
"JBOSSEAP:7-java11",
"JBOSSEAP:7-java8",
"TOMCAT:10.0-java17",
"TOMCAT:10.0-java11",
"TOMCAT:10.0-jre8",
"TOMCAT:9.0-java17",
"TOMCAT:9.0-java11",
"TOMCAT:9.0-jre8",
"TOMCAT:8.5-java11",
"TOMCAT:8.5-jre8"
]
I'm using in my current project:
linuxFxVersion: 'DOTNET|6.0'
netFrameworkVersion: 'v6.0'
kind: 'functionapp,linux'
Bicep for creating the app:
resource hostingPlan 'Microsoft.Web/serverfarms@2020-10-01' = {
  name: hostingPlanName
  location: location
  kind: 'linux'
  sku: {
    name: hostingPlanNameSkuName
  }
  properties: {
    reserved: true
  }
}
resource myApp 'Microsoft.Web/sites@2020-06-01' = {
  name: myAppName
  location: location
  kind: 'functionapp,linux'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    httpsOnly: true
    serverFarmId: hostingPlan.id
    clientAffinityEnabled: true
    siteConfig: {
      alwaysOn: true
      netFrameworkVersion: 'v6.0'
      linuxFxVersion: 'DOTNET|6.0'
      ftpsState: 'Disabled'
      cors: {
        allowedOrigins: [
          '*'
        ]
      }
    }
  }
}

Creating an Azure Queue action in a Logic App with bicep results in 'Connector not Found'

I am trying to create a Logic App with an Azure Queues operation. I want to use an API connection resource to connect to the storage account. However, the API Connection resource and the Logic App itself are deployed without errors, but after deployment the operation cannot find the API connection and the operation does not work.
When I manually create the operation in the portal after deployment it works.
Part of bicep for the action in logic app:
'Put_a_message_on_a_queue_(V2)' : {
  runafter: {}
  type: 'ApiConnection'
  inputs: {
    body: 'start'
    host: {
      connection: {
        name: azureQueueConnectionId
      }
    }
    method: 'post'
    path: '/v2/storageAccounts/${storageAccountName}/queues/dailymaintenance/messages'
  }
}
The API connection:
resource logicAppConnection 'Microsoft.Web/connections@2016-06-01' = {
  name: name
  location: resourceLocation
  properties: {
    displayName: 'connect-to-${externalResourceName}'
    parameterValues: {
      storageaccount: storageAccountReference.name
      sharedkey: storageAccountReference.listKeys().keys[0].value
    }
    api: {
      name: 'azurequeues'
      displayName: 'Azure Queues'
      description: 'Azure Queue storage provides cloud messaging between application components. Queue storage also supports managing asynchronous tasks and building process work flows.'
      iconUri: 'https://connectoricons-prod.azureedge.net/releases/v1.0.1546/1.0.1546.2665/azurequeues/icon.png'
      brandColor: '#0072C6'
      id: '${subscription().id}/providers/Microsoft.Web/locations/${resourceLocation}/managedApis/azurequeues'
      type: 'Microsoft.Web/locations/managedApis'
    }
    testLinks: [
      {
        requestUri: '${environment().resourceManager}/subscriptions/${subscription().id}/resourceGroups/${resourceGroup().name}/providers/Microsoft.Web/connections/${name}/extensions/proxy/testConnection?api-version=2016-06-01'
        method: 'get'
      }
    ]
  }
}
output id string = logicAppConnection.id
This is the error I get in the Logic App Designer: "Connector not found"
I am wondering why this is not working as expected and if someone already managed to do this with bicep?
Thanks in advance
AFAIK, It is believed that if you deploy the Template, both API Connections will be created, but you will have to manually update the connection inside logic apps by adding your service credentials. This is because, in order to complete the API connection, you must provide consent, which is not available in the template.
This script will retrieve a consent link for an OAuth Logic Apps connector connection. The consent link will then be opened, and authorization will be completed to allow a connection to be established.
For more information, please refer to this blog: BICEP-Create API connections for Logic Apps, and Deploy Logic Apps & API Connection with ARM.
It turned out the API connection name must be set as follows to make this work
  actions: {
    'Put_a_message_on_a_queue_(V2)' : {
      runafter: {}
      type: 'ApiConnection'
      inputs: {
        body: 'start'
        host: {
          connection: {
            name: '@parameters(\'$connections\')[\'azurequeues\'][\'connectionId\']'
          }
        }
        method: 'post'
        path: '/v2/storageAccounts/${storageAccountName}/queues/dailymaintenance/messages'
      }
    }
  }
}
parameters: {
  '$connections': {
    value: {
      azurequeues: {
        connectionId: logicAppConnection.id
        connectionName: 'LogicAppConnection'
        id: '/subscriptions/xxxxxxxxxxx/providers/Microsoft.Web/locations/westeurope/managedApis/azurequeues'
      }
    }
  }
}
After I deployed this, it worked!
